The other shoe has dropped - maybe. Nearly two months after signs of a Yahoo data breach surfaced with leaked user credentials in the cybercrime underground, Yahoo today confirmed that it had suffered a cyberattack in late 2014 by what the company says was likely a nation-state actor.
Some 500 million Yahoo user accounts were stolen and Yahoo is working with law enforcement in an investigation of the attack. The announcement comes as Yahoo begins the process of selling its operating business to Verizon for some $4.83 billion in cash, a deal that was first announced late July. Security experts say this could be a record-breaking breach in terms of size.
Bob Lord, CISO at Yahoo, in a blog post today said the attackers stole "a copy of certain" Yahoo user account information, possibly including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Most of the passwords were hashed with Bcrypt, while some security Q&As were encrypted, and some were not, he said.
Payment card and bank account information was not associated with the breached system, he said, so that information was not exposed.
"The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected," he said.
Yahoo's revelation today came after many Yahoo users reported receiving password-change emails over the past 24 hours, some with the subject line "secure your Yahoo account," with no explanation. Others received email notices of "suspicious activity" on their accounts and steps for resetting their passwords. ReCode this morning reported that Yahoo would be announcing a breach affecting "millions" of its users.
But the drama officially began unfolding publicly back in August when a hacker known as "Peace" or "Peace_of_Mind" began selling online what he advertised as some 200 million Yahoo user credentials. "Peace," who is known to be the co-founder of underground TheRealDeal Marketplace, had done the same with stolen LinkedIn and MySpace credentials in May of this year. At the time, Yahoo told Motherboard it was investigating the report.
Today's announcement is its first official confirmation of a cyberattack involving user credentials. Still unclear is whether the Peace incident is related to the newly revealed nation-state breach. And if so, whether that very same nation-state actor is responsible for the LinkedIn and MySpace attacks as well.
It's possible the two Yahoo credential breach incidents are separate attacks, notes Jeremiah Grossman, chief of security officer for SentinelOne and a former infosec officer at Yahoo. If the attackers were out of China, for example, he says, they wouldn't likely share or sell stolen information. "For all we know, these are separate breaches," he says, noting that the details of the two don't quite match up.
Nation-state cyber espionage typically is all about gathering intel about geopolitical information, intellectual property, or even inside information on a merger or other business deal. The attackers who hit Yahoo likely were fishing for access to Yahoo accounts that could get them either inside the company for its secrets, or access to some Yahoo user accounts for similar purposes.
Yahoo's dealings with Alibaba, for instance, would be of interest to a Chinese nation-state actor, Grossman notes. The attackers would "hack the system to figure out what Yahoo was negotiating and share with guys on their side, like a Chinese organization," for example, he explains.
If the attacks are related, however, Yahoo's response has confounded some experts. Why it took Yahoo nearly two months to confirm there was a breach, meanwhile potentially leaving Yahoo mail users' accounts dumped and vulnerable, is a question many are mulling today. "I would err on the side of caution and force a password change. It's better to be out in front of it than behind it," says Rick Holland, vice president of strategy at Digital Shadows.
"Let's be honest. If [Peace] was selling this in August, these credentials were already used in other [attack] campaigns long before that," he says.
Yahoo gave no details of how the nation-state hackers infiltrated the company's network, but experts say the most likely vector was the old reliable phishing attack fooling a Yahoo employee with either a malicious attachment or link that then downloaded malware that got the attackers a foothold into its network.
Grossman says that, like any large tech firm, Yahoo is a juicy target with its massive network presence. "It's a big attack surface," he says of Yahoo's massive infrastructure. "There's so much to defend … It's a hot target," so attacks are no surprise, he says.
Phishing attacks likely will be the number one possible fallout, with Yahoo user accounts being used as phish. Credential-stuffing, a brute-force attack where attackers inject stolen usernames and passwords into a website until they find a match, is another big risk.
But perhaps the biggest risk is to Yahoo users who reuse passwords among different accounts. According to a recent study by TeleSign, some 73% of online accounts use passwords that are duplicated among other accounts. Bottom line: Yahoo users whose stolen password is used on other sites need to change those accounts ASAP, too.
Yahoo doesn't require two-factor authentication, but the breach again demonstrates the time has come for this to become a standard for user authentication – for internal users and customers, experts say. The catch with this breach, however, is that the attackers have enough personal information on Yahoo users that they could still have hijacked an account with 2FA, Grossman says. "If you've got birthdays and addresses, you can log into an account," he says.
The good news: some of the stolen Yahoo account data was encrypted, assuming Yahoo has strong encryption practices.
"The good news is that the sensitive data that is now for sale, such as user names, email addresses and dates of birth, is encrypted, but these records could be easily decrypted if the company did not implement properly managed encryption keys," says Jason Hart, vice president and CTO of data protection at Gemalto.
Yahoo's Lord says there's "no evidence" the nation-state hackers are still resident in its network.
Yahoo recommends users change their passwords and security questions and answers for both Yahoo and any other accounts where they used the same passwords or similar security information. In addition, Yahoo says users should: